Prepare computers to install the Endpoint Protection 12.1 client

These instructions apply to both the enterprise version and the Small Business Editions of Symantec Endpoint Protection 12.1.x client. For more specific details at any point, please consult the in-product help or the documentation specific to your version of Symantec Endpoint Protection:

You should take the following steps on all computers onto which you install the client:


Uninstall currently installed third-party security software or legacy Symantec virus protection software

Uninstall any third-party security software. Symantec Endpoint Protection version 12.1.1.1 (12.1 RU1 MP1) and later includes a tool to help automatically uninstall select third-party security software programs from Windows computers. See Related Articles for more details.
Otherwise, for older builds, other platforms, or in general, you can directly uninstall third-party programs. Some programs, however, have special uninstallation routines. See the documentation for the third-party software.
Uninstall any legacy Symantec virus protection software, such as Symantec AntiVirus, if migration is not supported or if you do not plan to migrate the settings. You must uninstall Symantec consumer security products under the Norton brand.

Set administrative rights to your client computers
If you do not provide users with administrative rights to their computers, use Remote Push to remotely install the client software. Remote Push requires that you use credentials that have local administrative rights to the computers, or domain administrator credentials in the Windows Active Directory domain. Remote Push is an option available through the Client Deployment Wizard, which you can launch in the Symantec Endpoint Protection Manager by clicking Home > Common Tasks > Install protection client to computers.

Prepare computers for remote deployment and management
Modify firewall settings to allow communication between Symantec Endpoint Protection components.
For Windows:

  • Push deployment ports, used on management servers and clients: TCP 139 and 445, UDP 137 and 138, and TCP ephemeral ports.
  • For legacy communications, open UDP port 2967 on all computers.
  • General communication: TCP 8014 (HTTP)/TCP 443 (HTTPS) are the default ports for communication between the management server and the client. These ports may be customized.

For Macs (as of 12.1.5):

  • Ensure that the firewall does not block the port that Secure Shell (SSH) uses, which is by default TCP port 22. This port allows the required communication for remote login.

See Related Articles for more information on communication ports.

Prepare Windows XP or Windows Server 2003 computers that are installed in workgroups: Windows XP or Windows Server 2003 computers that are installed in workgroups do not accept remote deployment by default. To permit remote deployment, disable Simple File Sharing. For more information see the following Microsoft Knowledge Base article: http://support.microsoft.com/kb/307874
Note: This limitation does not apply to computers that are part of a Windows domain.
You may also need to perform the following tasks:

  • Ensure that the Administrator account does not have a blank password.
  • Disable the Windows Firewall, or allow the required ports for communication between Symantec Endpoint Protection and Symantec Endpoint Protection Manager.

See Related Articles.

Prepare Windows Vista, Windows 7, or Windows Server 2008 / 2008 R2 computers: Windows User Account Control blocks local administrative accounts from remotely accessing administrative shares such as C$ and Admin$. You do not need to fully disable User Account Control on the client computers during the remote deployment if you disable UAC remote restrictions with the registry value LocalAccountTokenFilterPolicy. For more information, see the following Microsoft Knowledge Base article: http://support.microsoft.com/kb/951016
You must also perform the following tasks:

  • Disable the Windows Firewall, or configure the firewall to allow the required traffic.
  • Disable the Sharing Wizard.
  • Enable network discovery by using the Network and Sharing Center.
  • Enable the built-in administrator account and assign a password to the account.
  • Verify that the account has administrator privileges.
  • Disable or remove Windows Defender.

Prepare Windows 8 or Windows Server 2012 computers*, Windows 8.1 or Windows Server 2012 R2 computers**, or Windows 8.1 Update 1 or Windows Server 2012 R2 Update 1***: Before you deploy, perform the following tasks:

  • Disable the Windows Firewall, or configure the firewall to allow the required traffic.
  • To allow the correct access for User Account Control, create the registry key LocalAccountTokenFilterPolicy as described above.
  • Enable and start the Remote Registry service.
  • Disable or remove Windows Defender.

* = Supported by Symantec Endpoint Protection 12.1.2 (12.1 RU2) or later
** = Supported by Symantec Endpoint Protection 12.1.4 (12.1 RU4) or later
*** = Supported by Symantec Endpoint Protection 12.1.4.1 (12.1 RU4 MP1) or later
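
One way to script the Windows 8 / Windows Server 2012 steps above without turning the firewall off, as an added example that is not Symantec's own tooling: it opens the Windows push deployment ports listed earlier to the management server only, creates LocalAccountTokenFilterPolicy, starts Remote Registry, and goes beyond the page by restoring the previous settings once deployment is done. The management server address, rule group name, state file path and function names are assumptions; the registry path is the one given in Microsoft KB 951016.

```powershell
# Added example (not Symantec tooling). Run elevated on Windows 8 / Server 2012
# or later; the firewall cmdlets come from the built-in NetSecurity module.
$ManagerAddress = '192.0.2.10'                  # placeholder: management server IP
$RuleGroup      = 'SEP Remote Push Temporary'   # assumed label, used for cleanup
$StateFile      = "$env:ProgramData\sep-push-prep.xml"   # assumed location
$UacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacValue = 'LocalAccountTokenFilterPolicy'

function Enable-SepPushPrep {
    if (Test-Path $StateFile) { throw "Already prepared; run Restore-SepPushPrep first." }
    # Record current settings first so Restore-SepPushPrep can put them back.
    $svc = Get-CimInstance Win32_Service -Filter "Name='RemoteRegistry'"
    $old = Get-ItemProperty -Path $UacKey -Name $UacValue -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TokenFilter = if ($old) { $old.$UacValue } else { $null }
        StartMode   = $svc.StartMode      # Auto, Manual or Disabled
        WasRunning  = ($svc.State -eq 'Running')
    } | Export-Clixml -Path $StateFile

    # Open the push deployment ports to the management server only, rather
    # than disabling the Windows Firewall. TCP ephemeral ports are not covered.
    New-NetFirewallRule -DisplayName 'SEP push TCP 139,445' -Group $RuleGroup `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 139,445 `
        -RemoteAddress $ManagerAddress | Out-Null
    New-NetFirewallRule -DisplayName 'SEP push UDP 137,138' -Group $RuleGroup `
        -Direction Inbound -Action Allow -Protocol UDP -LocalPort 137,138 `
        -RemoteAddress $ManagerAddress | Out-Null

    # Value 1 lifts UAC remote restrictions for local administrator accounts.
    New-ItemProperty -Path $UacKey -Name $UacValue -PropertyType DWord `
        -Value 1 -Force | Out-Null

    Set-Service -Name RemoteRegistry -StartupType Manual
    Start-Service -Name RemoteRegistry
}

function Restore-SepPushPrep {
    $state = Import-Clixml -Path $StateFile
    Remove-NetFirewallRule -Group $RuleGroup
    if ($null -eq $state.TokenFilter) {
        Remove-ItemProperty -Path $UacKey -Name $UacValue -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $UacKey -Name $UacValue -Value $state.TokenFilter
    }
    if (-not $state.WasRunning) { Stop-Service -Name RemoteRegistry -Force }
    $mode = if ($state.StartMode -eq 'Auto') { 'Automatic' } else { $state.StartMode }
    Set-Service -Name RemoteRegistry -StartupType $mode
    Remove-Item -Path $StateFile
}
```

Run Enable-SepPushPrep before the Remote Push and Restore-SepPushPrep once the client has checked in with the management server.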

Prepare Macs****:

  • Enable Remote Login and either allow access for all users, or only for specific users, such as Administrators. You can find this setting on the Mac computer under System Preferences > Sharing > Remote Login.
  • If you use the Mac firewall, disable stealth mode. With stealth mode enabled, the remote push installation cannot discover the client through Search Network.
    To disable stealth mode on the Mac, see the following Apple knowledge base article that applies to your version of the Mac operating system.

**** = Supported by Symantec Endpoint Protection 12.1.5 (12.1 RU5)

Prepare Windows Server 2003 computers for installation using a remote desktop connection: The Symantec Endpoint Protection Manager requires access to the system registry for installation and normal operation. To prepare a Windows Server 2003 computer on which you plan to use a remote desktop connection to install Symantec Endpoint Protection Manager, perform the following tasks:

  • Configure the Windows Server 2003 computer to allow remote control.
    See the following Microsoft Knowledge Base article: http://support.microsoft.com/kb/814590
  • Connect to the Windows Server 2003 computer from a remote computer by using a remote console session, or by shadowing the console session.
    See the following Microsoft Knowledge Base article: http://support.microsoft.com/kb/278845